[Zope-dev] Suggestion for small(?) change in BaseRequest.py. Security effects?
Lennart Regebro
regebro at nuxeo.com
Fri Sep 3 06:05:38 EDT 2004
Dieter Maurer wrote:
> Lennart Regebro wrote at 2004-9-2 12:38 +0200:
>
>>...
>>Are there any other problems with NOT raising an exception in
>>unauthorized()? Because if there are, we probably limit the possible
>>challenge responses to a redirect, and then this change makes no difference.
>
>
> If the traversal made any changes to persistent state, then
> these changes are committed rather than aborted.
>
> Usually, traversal should not change the persistent state -- but...
Would the transaction.abort() addition suggested by Tino be enough to
solve that?